General

  • Target

    PRODUCT SPEC.zip

  • Size

    562KB

  • Sample

    211020-1c6pdaaecl

  • MD5

    8a00db6216627505fab4cd708beb6f8e

  • SHA1

    0a8a0a5c26b23559129f52462550f77c120532ca

  • SHA256

    d19d3df61c00a397ad513d94b882eed5de7a394e9ee1d1a7ee143360b5302c85

  • SHA512

    06d74659245363215c7c839aa803cfa5a8580d208c7b623ebada7aad1e164d0e54b66f9e3c09b8056a90689fd722812593204afe118b6e4322c903f559c7ce6a

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

xloader

Version

2.5

Campaign

qcrn

C2

http://www.visiblegrowthagency.com/qcrn/

Decoy


Targets

    • Target

      PRODUCT SPEC.xll

    • Size

      637KB

    • MD5

      53914aa37db415d0f2c0e7f3cb1682ce

    • SHA1

      5dfb5eb947abb723d86047ff2169bac75748eaa3

    • SHA256

      4f3ffa5981cca7a94a4eed697119e34157490d43ac806fb16ac5c6d237824817

    • SHA512

      2c2beb0bc6af799aa204dbef5cac67e865bbc08c5abfc5f21176fccdbd8a479649a7262956bf6f8546983fab141a1e954ec030bb2a18ff792cd785970c8f94d4

    • Score

      1/10

    • Target

      PRODUCT SPECIFICATION.xll

    • Size

      553KB

    • MD5

      9f74a93c7a015aefdf3a5f63027809e2

    • SHA1

      182f6a8da5ed8e220a1896b4d45aac220db7dcf3

    • SHA256

      9dedd6b7ed7d6c47bb7a7af88b925430bfb2c7d5f377a4d96c1af7b9cb62707d

    • SHA512

      1d2035e050a817ecf81a27ccc936460359304517f019764be888ce5f9c9228f253278dedffc1afdc15b6615224b0c3f7cccada33cf54fd93386a507bffa5f055

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Modify Registry (T1112): 2

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 2

Tasks